Passwords and policies for the new corporate generation

Passwords are everywhere. Despite great advances in computer technology over the last 20 years, the first use of computer passwords predates the Apollo 11 moon landing. So, while our technical capability with computers has grown over the years, our means of basic authentication, the password, has not. The password, which continues to be the tool of choice for authentication, has become the weakest point in our defenses. Since the password will not go away anytime in the immediate future, there are some things that you can do to make yourself more secure.

First, stop using simple passwords. Passwords need to be lengthy (at least 10-12 characters) and complex. Simple words, local or foreign, are not secure. There are many tips and mnemonics available to assist with strong password creation, but it will take practice. The use of strong passwords should be set forth in a policy, and employees should be trained on how to build and use stronger passwords. Firms can really benefit from holding brief training sessions on how to build and maintain a strong password.

Second, do not use the same password for multiple accounts. Ask yourself this question: If the password to just one of your personal accounts were to fall into the wrong hands, could someone gain access to other or all of your accounts? It’s not hard to guess that most people log in to a banking or retail website using their email address as the account name (half of the credential pair is therefore already known, so you are already 50 percent less secure, making protecting the password even more paramount). The same goes for private networks. Many use a simple derivative of first and last name for the user account. Using the same password for multiple accounts should be both highly discouraged and forbidden by policy.
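As an added illustration (not from the original article), here is a small Python policy checker that encodes the rules above: a minimum length, several character classes, no simple dictionary word even when digits or symbols are substituted for letters, and no derivative of the user's own name. The tiny word list and the name-token rule are assumptions made for the example, not a standard.

```python
import re

# Constructed stand-in for a real wordlist; a deployment would load a large
# list of common words in several languages ("simple words, local or foreign").
SIMPLE_WORDS = {"password", "welcome", "summer", "computer",
                "letmein", "bonjour", "geheim"}

MIN_LENGTH = 12   # upper end of the article's "at least 10-12 characters"
MIN_CLASSES = 3   # of four: lowercase, uppercase, digit, other

# Common substitutions people use to disguise a dictionary word.
LEET = str.maketrans("@40315$7", "aaoeisst")


def character_classes(pw: str) -> int:
    """Count how many of the four character classes appear in pw."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))


def base_word(pw: str) -> str:
    """Undo substitutions and keep letters only: 'P@ssw0rd1!' -> 'passwordi'."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def is_simple_word(pw: str) -> bool:
    """True if the password is essentially one dictionary word plus padding."""
    core = base_word(pw)
    return any(w in core and len(core) <= len(w) + 2 for w in SIMPLE_WORDS)


def is_name_derivative(pw: str, first: str, last: str) -> bool:
    """True if the password embeds the user's name or a first-initial+surname token."""
    core = base_word(pw)
    tokens = {first.lower(), last.lower(),
              (first[:1] + last).lower(), (last + first[:1]).lower()}
    return any(len(t) >= 4 and t in core for t in tokens)


def check_password(pw: str, first_name: str = "", last_name: str = "") -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if is_simple_word(pw):
        problems.append("based on a simple dictionary word")
    if is_name_derivative(pw, first_name, last_name):
        problems.append("derived from the user's own name")
    return problems
```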

Use two-factor authentication whenever and wherever you can. Many commercial websites will send you a one-time use code to your phone after you successfully enter your credentials. Since (hopefully) you are the only person with access to your phone, only you should be able to successfully enter the code and gain entry into your account. It’s not cumbersome, as many people who oppose change would like you to think, and takes only a few minutes to set up. Any corporate enterprise that allows remote access or teleworking should absolutely be using two-factor authentication for accessing their network. At the workplace, you can pop your head into someone’s office to see if the right person is using the password. You can’t do this with people working outside of the office, making additional forms of identity verification very important. “Is it really Bob accessing the network or is it someone else (friend or foe), with Bob’s password, accessing the network?”

The rapid expansion of password manager software has many viewing it as an easier means to use very long and complex passwords. While this type of software encourages the use of more complicated passwords (yay!), there are some things to keep in mind before making the switch. First, the password vault, in which the passwords are securely stored, is itself secured with a master password. You are literally putting your password eggs in one basket. Lose that master password, and all of your passwords are lost. Highly likely? Probably not, but you should know where the faults are before you begin. For organizations with IT departments, you may see a sharp increase in assistance calls, as a password manager that submits a mistyped or stale password will trigger an account lockout much faster than a human typing by hand. Help desks should be ready to assist and educate.

Protecting passwords must be encouraged and emphasized by management. This is not done through technology but through administrative directives and policies. The firm needs to set the tone regarding how employees are to use and take care of the passwords that protect their clients’ private information and data. A firm is only as strong as its weakest password. I know that those words just sent a shiver through many readers, as everyone knows “that guy.” Remember, enabling and not correcting “that guy” makes the rest of the firm just as guilty of being careless with client data. An organization whose management sets the right expectations, with the right policies, and follows them up with the right education for its staff, drastically improves its defenses against today’s unsafe computing environment. Traffic laws, like speed limits, keep people from driving unsafely, for the good of the community. Good policies regarding IT security — in this case, passwords — can do the same.